\begin{abstract}
%Security is a cross-cutting concern, making its enforcement in target systems a difficult and error-prone task. %Therefore, the ways used to integrate security into business applications and their enforcement mechanisms need to be rigorous and systematic. 
In this paper, we present a policy-based approach for automating the integration of security mechanisms into Java-based business applications. In particular, we introduce an expressive Domain Specific modeling Language (\textsc{Dsl}), called \emph{Security@Runtime}, for the specification of \emph{security configurations} of targeted systems. The \emph{Security@Runtime} \textsc{Dsl} supports the expression of \emph{authorization}, \emph{obligation} and \emph{reaction} policies, covering many of the security requirements of modern applications. Security requirements specified in security configurations are enforced using an \emph{application-independent} Policy Enforcement Point (\textsc{Pep})- Policy Decision Point (\textsc{Pdp}) architecture, which enables the \emph{runtime update} of security requirements. Our work is evaluated using two systems and its advantages and limitations are discussed.
\keywords{Java Security, Security Policies, Security Domain Specific Language, Access Control, Obligations}
\end{abstract}
